Skip to main content

๐Ÿ›ก๏ธ AWS RDS Instance uses default endpoint port๐ŸŸข

  • Contextual name: ๐Ÿ›ก๏ธ Instance uses default endpoint port๐ŸŸข
  • ID: /ce/ca/aws/rds/instance-default-port
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY

Logicโ€‹

Similar Policiesโ€‹

  • Internal: dec-x-fd0bfd1b

Similar Internal Rulesโ€‹

RulePoliciesFlags
โœ‰๏ธ dec-x-fd0bfd1b1

Descriptionโ€‹

Open File

Descriptionโ€‹

Ensure that your Amazon RDS database instances are not using their default endpoint ports (e.g., MySQL/Aurora port 3306, SQL Server port 1433, PostgreSQL port 5432) to enhance security through port obfuscation. Changing the default endpoint ports can add an extra layer of defense against non-targeted attacks.

Rationaleโ€‹

Using default endpoint ports for Amazon RDS database instances can make them more susceptible to automated attacks and scans that target common database ports.

Port obfuscation adds an extra layer of security by making it more difficult for attackers to identify and target your database instances. Non-standard ports are less likely to be targeted by generic scanning and exploitation tools, reducing the overall attack surface of your database environment.

Auditโ€‹

This policy evaluates the following endpoint port configurations of Amazon RDS database instances:

Database EngineDefault Port
MySQL/Aurora/MariaDB3306
PostgreSQL/Aurora5432
Oracle1521
Microsoft SQL Server1433

... see more

Remediationโ€‹

Open File

Remediationโ€‹

From Command Lineโ€‹

Modify the Endpoint Portโ€‹

For each incompliant RDS instance, modify the endpoint port to a non-default value. Ensure the new port is within the allowed range and does not conflict with other services.

Run the following command to modify the port of a specific RDS instance:

aws rds modify-db-instance 
--db-instance-identifier {{db-instance-identifier}}
--port {{new-port}} 
--apply-immediately

Replace {{db-instance-identifier}} with the ID of your RDS instance and {{new-port}} with the new port number.

To apply changes immediately rather than in the next maintenance window, use the --apply-immediately parameter when calling the AWS CLI.

Update Security Groupsโ€‹

Ensure that the security groups associated with your RDS instances allow inbound traffic on the new port.

Run the following command to update the security group:

aws ec2 authorize-security-group-ingress 
--group-id {{security-group-id}} 
--protocol tcp 
--port {{new-port}} 
--cidr {{your-cidr-block}}

Replace {{security-group-id}} with the ID of your security group, {{new-port}} with the new port number, and {{your-cidr-block}} with your IP range.

... see more

policy.yamlโ€‹

Open File

Linked Framework Sectionsโ€‹

SectionSub SectionsInternal RulesPoliciesFlagsCompliance
๐Ÿ’ผ AWS Foundational Security Best Practices v1.0.0 โ†’ ๐Ÿ’ผ [RDS.23] RDS instances should not use a database engine default port11no data
๐Ÿ’ผ Cloudaware Framework โ†’ ๐Ÿ’ผ Threat Protection48no data
๐Ÿ’ผ FedRAMP High Security Controls โ†’ ๐Ÿ’ผ AC-4 Information Flow Enforcement (M)(H)23799no data
๐Ÿ’ผ FedRAMP High Security Controls โ†’ ๐Ÿ’ผ AC-4(21) Physical or Logical Separation of Information Flows (M)(H)1158no data
๐Ÿ’ผ FedRAMP High Security Controls โ†’ ๐Ÿ’ผ SC-7 Boundary Protection (L)(M)(H)10877no data
๐Ÿ’ผ FedRAMP High Security Controls โ†’ ๐Ÿ’ผ SC-7(4) External Telecommunications Services (M)(H)44no data
๐Ÿ’ผ FedRAMP High Security Controls โ†’ ๐Ÿ’ผ SC-7(5) Deny by Default โ€” Allow by Exception (M)(H)19no data
๐Ÿ’ผ FedRAMP High Security Controls โ†’ ๐Ÿ’ผ SC-7(21) Isolation of System Components (H)33no data
๐Ÿ’ผ FedRAMP Low Security Controls โ†’ ๐Ÿ’ผ SC-7 Boundary Protection (L)(M)(H)45no data
๐Ÿ’ผ FedRAMP Moderate Security Controls โ†’ ๐Ÿ’ผ AC-4 Information Flow Enforcement (M)(H)183no data
๐Ÿ’ผ FedRAMP Moderate Security Controls โ†’ ๐Ÿ’ผ AC-4(21) Physical or Logical Separation of Information Flows (M)(H)58no data
๐Ÿ’ผ FedRAMP Moderate Security Controls โ†’ ๐Ÿ’ผ SC-7 Boundary Protection (L)(M)(H)763no data
๐Ÿ’ผ FedRAMP Moderate Security Controls โ†’ ๐Ÿ’ผ SC-7(4) External Telecommunications Services (M)(H)44no data
๐Ÿ’ผ FedRAMP Moderate Security Controls โ†’ ๐Ÿ’ผ SC-7(5) Deny by Default โ€” Allow by Exception (M)(H)19no data
๐Ÿ’ผ NIST CSF v2.0 โ†’ ๐Ÿ’ผ DE.CM-01: Networks and network services are monitored to find potentially adverse events167no data
๐Ÿ’ผ NIST CSF v2.0 โ†’ ๐Ÿ’ผ DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events168no data
๐Ÿ’ผ NIST CSF v2.0 โ†’ ๐Ÿ’ผ ID.AM-03: Representations of the organization's authorized network communication and internal and external network data flows are maintained84no data
๐Ÿ’ผ NIST CSF v2.0 โ†’ ๐Ÿ’ผ PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected178no data
๐Ÿ’ผ NIST CSF v2.0 โ†’ ๐Ÿ’ผ PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected154no data
๐Ÿ’ผ NIST CSF v2.0 โ†’ ๐Ÿ’ผ PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected174no data
๐Ÿ’ผ NIST CSF v2.0 โ†’ ๐Ÿ’ผ PR.IR-01: Networks and environments are protected from unauthorized logical access and usage116no data
๐Ÿ’ผ NIST SP 800-53 Revision 5 โ†’ ๐Ÿ’ผ AC-4 Information Flow Enforcement3269114no data
๐Ÿ’ผ NIST SP 800-53 Revision 5 โ†’ ๐Ÿ’ผ AC-4(21) Information Flow Enforcement _ Physical or Logical Separation of Information Flows3758no data
๐Ÿ’ผ NIST SP 800-53 Revision 5 โ†’ ๐Ÿ’ผ SC-7 Boundary Protection29484no data
๐Ÿ’ผ NIST SP 800-53 Revision 5 โ†’ ๐Ÿ’ผ SC-7(4) Boundary Protection _ External Telecommunications Services44no data
๐Ÿ’ผ NIST SP 800-53 Revision 5 โ†’ ๐Ÿ’ผ SC-7(5) Boundary Protection _ Deny by Default โ€” Allow by Exception419no data
๐Ÿ’ผ NIST SP 800-53 Revision 5 โ†’ ๐Ÿ’ผ SC-7(11) Boundary Protection _ Restrict Incoming Communications Traffic33no data
๐Ÿ’ผ NIST SP 800-53 Revision 5 โ†’ ๐Ÿ’ผ SC-7(16) Boundary Protection _ Prevent Discovery of System Components34no data
๐Ÿ’ผ NIST SP 800-53 Revision 5 โ†’ ๐Ÿ’ผ SC-7(21) Boundary Protection _ Isolation of System Components33no data